Intrusion Detection Message Exchange Format (IDMEF) Parameters

Created: 2006-10-04
Last Updated: 2007-03-14

Registry: Class and Attribute Names
Registration Procedure: IETF Consensus

  Class           Attribute
  --------------  ----------
  Reference       origin
  Source          spoofed
  Target          decoy
  AdditionalData  type
  Impact          severity
  Impact          completion
  Impact          type
  Action          category
  Confidence      rating
  Node            category
  Address         category
  User            category
  UserId          category
  File            category
  File            fstype
  FileAccess      permission
  Linkage         category
  Checksum        algorithm

Registry: Attribute Values
Registration Procedure: Specification Required

Each entry lists the numeric value, the attribute name, and its description.

Reference / origin
  0  unknown          Origin of the name is not known
  1  vendor-specific  A vendor-specific name (and hence, URL); this can be used to provide product-specific information
  2  user-specific    A user-specific name (and hence, URL); this can be used to provide installation-specific information
  3  bugtraqid        The SecurityFocus ("Bugtraq") vulnerability database identifier (http://www.securityfocus.com/bid)
  4  cve              The Common Vulnerabilities and Exposures (CVE) name (http://cve.mitre.org/)
  5  osvdb            The Open Source Vulnerability Database (http://www.osvdb.org)

Source / spoofed
  0  unknown  Accuracy of source information unknown
  1  yes      Source is believed to be a decoy
  2  no       Source is believed to be "real"

Target / decoy
  0  unknown  Accuracy of target information unknown
  1  yes      Target is believed to be a decoy
  2  no       Target is believed to be "real"

AdditionalData / type
  0   boolean      The element contains a boolean value, i.e., the strings "true" or "false"
  1   byte         The element content is a single 8-bit byte (see Section 3.2.4)
  2   character    The element content is a single character (see Section 3.2.3)
  3   date-time    The element content is a date-time string (see Section 3.2.6)
  4   integer      The element content is an integer (see Section 3.2.1)
  5   ntpstamp     The element content is an NTP timestamp (see Section 3.2.7)
  6   portlist     The element content is a list of ports (see Section 3.2.8)
  7   real         The element content is a real number (see Section 3.2.2)
  8   string       The element content is a string (see Section 3.2.3)
  9   byte-string  The element content is a byte[] (see Section 3.2.4)
  10  xmltext      The element content is XML-tagged data (see Section 5.2)

Impact / severity
  0  info    Information only
  1  low     Low severity
  2  medium  Medium severity
  3  high    High severity

Impact / completion
  0  failed     The attempt was not successful
  1  succeeded  The attempt succeeded

Impact / type
  0  admin  Administrative privileges were attempted or obtained
  1  dos    A denial of service was attempted or completed
  2  file   An action on a file was attempted or completed
  3  recon  A reconnaissance probe was attempted or completed
  4  user   User privileges were attempted or obtained
  5  other  Anything not in one of the above categories

Action / category
  0  block-installed    A block of some sort was installed to prevent an attack from reaching its destination. The block could be a port block, address block, etc., or disabling a user account.
  1  notification-sent  A notification message of some sort was sent out-of-band (via pager, e-mail, etc.). Does not include the transmission of this alert.
  2  taken-offline      A system, computer, or user was taken offline, as when the computer is shut down or a user is logged off.
  3  other              Anything not in one of the above categories.

Confidence / rating
  0  low      The analyzer has little confidence in its validity
  1  medium   The analyzer has average confidence in its validity
  2  high     The analyzer has high confidence in its validity
  3  numeric  The analyzer has provided a posterior probability value indicating its confidence in its validity

Node / category
  0   unknown   Domain unknown or not relevant
  1   ads       Windows 2000 Advanced Directory Services
  2   afs       Andrew File System (Transarc)
  3   coda      Coda Distributed File System
  4   dfs       Distributed File System (IBM)
  5   dns       Domain Name System
  6   hosts     Local hosts file
  7   kerberos  Kerberos realm
  8   nds       Novell Directory Services
  9   nis       Network Information Services (Sun)
  10  nisplus   Network Information Services Plus (Sun)
  11  nt        Windows NT domain
  12  wfw       Windows for Workgroups

Address / category
  0   unknown        Address type unknown
  1   atm            Asynchronous Transfer Mode network address
  2   e-mail         Electronic mail address (RFC 822)
  3   lotus-notes    Lotus Notes e-mail address
  4   mac            Media Access Control (MAC) address
  5   sna            IBM Shared Network Architecture (SNA) address
  6   vm             IBM VM ("PROFS") e-mail address
  7   ipv4-addr      IPv4 host address in dotted decimal notation (a.b.c.d)
  8   ipv4-addr-hex  IPv4 host address in hexadecimal notation
  9   ipv4-net       IPv4 network address in dotted decimal notation, slash, significant bits (a.b.c.d/nn)
  10  ipv4-net-mask  IPv4 network address in dotted decimal notation, slash, network mask in dotted decimal notation (a.b.c.d/w.x.y.z)
  11  ipv6-addr      IPv6 host address
  12  ipv6-addr-hex  IPv6 host address in hexadecimal notation
  13  ipv6-net       IPv6 network address, slash, significant bits
  14  ipv6-net-mask  IPv6 network address, slash, network mask

User / category
  0  unknown      User type unknown
  1  application  An application user
  2  os-device    An operating system or device user

UserId / category
  0  current-user   The current user id being used by the user or process. On Unix systems, this would be the "real" user id, in general.
  1  original-user  The actual identity of the user or process being reported on. On those systems that (a) do some type of auditing and (b) support extracting a user id from the "audit id" token, that value should be used. On those systems that do not support this, and where the user has logged into the system, the "login id" should be used.
  2  target-user    The user id the user or process is attempting to become. This would apply, on Unix systems for example, when the user attempts to use "su," "rlogin," "telnet," etc.
  3  user-privs     Another user id the user or process has the ability to use, or a user id associated with a file permission. On Unix systems, this would be the "effective" user id in a user or process context, and the owner permissions in a file context. Multiple UserId elements of this type may be used to specify a list of privileges.
  4  current-group  The current group id (if applicable) being used by the user or process. On Unix systems, this would be the "real" group id, in general.
  5  group-privs    Another group id the group or process has the ability to use, or a group id associated with a file permission. On Unix systems, this would be the "effective" group id in a group or process context, and the group permissions in a file context. On BSD-derived Unix systems, multiple UserId elements of this type would be used to include all the group ids on the "group list."
  6  other-privs    Not used in a user, group, or process context, only used in the file context. The file permissions assigned to users who do not match either the user or group permissions on the file. On Unix systems, this would be the "world" permissions.

File / category
  0  current   The file information is from after the reported change
  1  original  The file information is from before the reported change

File / fstype
  0  ufs      Berkeley UNIX Fast File System
  1  efs      Linux "efs" file system
  2  nfs      Network File System
  3  afs      Andrew File System
  4  ntfs     Windows NT File System
  5  fat16    16-bit Windows FAT File System
  6  fat32    32-bit Windows FAT File System
  7  pcfs     "PC" (MS-DOS) file system on CD-ROM
  8  joliet   Joliet CD-ROM file system
  9  iso9660  ISO 9660 CD-ROM file system

FileAccess / permission
  0  noAccess           No access at all is allowed for this user
  1  read               This user has read access to the file
  2  write              This user has write access to the file
  3  execute            This user has the ability to execute the file
  4  search             This user has the ability to search this file (applies to "execute" permission on directories in UNIX)
  5  delete             This user has the ability to delete this file
  6  executeAs          This user has the ability to execute this file as another user
  7  changePermissions  This user has the ability to change the access permissions on this file
  8  takeOwnership      This user has the ability to take ownership of this file

Linkage / category
  0  hard-link      The <name> element represents another name for this file. This information may be more easily obtainable on NTFS file systems than others.
  1  mount-point    An alias for the directory specified by the parent's <name> and <path> elements.
  2  reparse-point  Applies only to Windows; excludes symbolic links and mount points, which are specific types of reparse points.
  3  shortcut       The file represented by a Windows "shortcut." A shortcut is distinguished from a symbolic link because of the difference in their contents, which may be of importance to the manager.
  4  stream         An Alternate Data Stream (ADS) in Windows; a fork on MacOS. Separate file system entity that is considered an extension of the main <File>.
  5  symbolic-link  The <name> element represents the file to which the link points.

Checksum / algorithm
  0  MD4       The MD4 algorithm.
  1  MD5       The MD5 algorithm.
  2  SHA1      The SHA1 algorithm.
  3  SHA2-256  The SHA2 algorithm with 256 bits length.
  4  SHA2-384  The SHA2 algorithm with 384 bits length.
  5  SHA2-512  The SHA2 algorithm with 512 bits length.
  6  CRC-32    The CRC algorithm with 32 bits length.
  7  Haval     The Haval algorithm.
  8  Tiger     The Tiger algorithm.
  9  Gost      The Gost algorithm.